Exception while enabling the xpack in es7.17


While enabling the xpack in elasticsearch 7.17, we are facing the below issue

ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)]; nested: IOException[ObjectIdentifier() -- data isn't an object ID (tag = 48)];

Please check & help us on this

Hi @navaneethan,

Can you share your configuration?

Hi @carly.richmond

Below is my elasticsearch.yml conf file

cluster.name: cluster1
node.name: cf3
node.roles: [ data,master ]
http.port: 9106
transport.port: 9116

path.logs: /u01/elasticsearch_7.17.15/logs/${cluster.name}/${node.name}
path.data: /u01/elasticsearch_7.17.15/data/${cluster.name}/${node.name}

bootstrap.memory_lock: true
discovery.seed_providers: file
cluster.initial_master_nodes: cf1, cf2, cf3
action.destructive_requires_name: true

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

Hi @carly.richmond

below are the steps i followed in my 7.17 cluster

in home path

bin/elasticsearch-certutil ca

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

add the below in each node

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

updated the yml params 
restarted the Elasticsearch nodes

Can you try running

keytool -list -keystore /path/to/certs/elastic-certificates.p12

(You'll need to replace /path/to/ with the correct path to your certificate file)

I expect that to give a similar error to the one Elasticsearch is logging, in which case we can infer that the problem is with your PKCS#12 file (and we'll need to work out why)

Hi @TimV

We are getting the below result after running the above

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

ca, Mar 4, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): C3:D3:D9:00:2E:F1:F6:D2:09:EB:0A:D3:09:D2:13:3C:30:78:D5:6C:CE:40:9F:CC:57:D2:B1:B8:72:75:33:04
instance, Mar 4, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): ED:FB:32:53:B6:46:10:E9:26:AE:47:13:20:DC:BF:50:8F:AA:F0:48:75:16:C3:24:F3:07:2B:BB:1B:FF:C8:ED

Are you seeing the same error on all nodes?

Please post the full stack trace from the logs so we can try to work out exactly where the problem is happening.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.